Further compatibility updates.

aff4 · Jul 5, 2019 · 0f8c5cc · 0f8c5cc
1 parent 51afbc0
commit 0f8c5cc
Show file tree

Hide file tree

Showing 28 changed files with 465 additions and 30 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,14 @@
+-- v2.0.5
+
+-- Re-Release of v2.0.4 with different build options enabled.
+
+-- v2.0.4
+
++ Further Improve compatibility with AFF4 producers.
+
 -- v2.0.3
 
-+ Update zip header handling. Add compatibility for c-libaff4 implementation bugs and quirks.
++ Update zip header handling. Improve compatibility with AFF4 producers.
 
 -- v2.0.2
 

diff --git a/INSTALL b/INSTALL
@@ -1,4 +1,4 @@
-libaff4 2.0.1
+libaff4 2.0.6
 
 Requirements:
 -------------

diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
-AFF4 CPP Light v2.0.3
+AFF4 CPP Light v2.0
 -------------
 
-Copyright Schatz Forensic Pty Ltd, 2017-2019
+Copyright Schatz Forensic Pty Ltd, 2017-2018
 
 Released under the LGPL v3.0+
 
@@ -94,6 +94,6 @@ in the container.
 Notes:
 ------
 
-v2.0.3 is a near complete rewrite of the v1.0.0 of the library, and exhibits
+v2.0.0 is a near complete rewrite of the v1.0.0 of the library, and exhibits
 a completely new API model. We did this so we have a simple, easy to read C++ implementation.
 
diff --git a/configure.ac b/configure.ac
@@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.
 
 AC_PREREQ([2.59])
-AC_INIT([aff4], [2.0.3], [info@evimetry.com])
+AC_INIT([aff4], [2.0.6], [info@evimetry.com])
 AC_CONFIG_HEADERS([aff4config.h])
 AC_CONFIG_SRCDIR([src/aff4.cc])
 AC_CONFIG_MACRO_DIR([m4])

diff --git a/src/AFF4Containers.cc b/src/AFF4Containers.cc
@@ -310,6 +310,9 @@ namespace aff4 {
 		}
 
 		aff4::IAFF4Resolver* createResolver(std::string path, bool scanSubFolders) noexcept {
+#if DEBUG
+			fprintf(aff4::getDebugOutput(), "%s[%d] : Create Resolver : %s, %d \n", __FILE__, __LINE__, path.c_str(), scanSubFolders);
+#endif
 			if (path.empty()) {
 				return nullptr;
 			}
@@ -323,6 +326,9 @@ namespace aff4 {
 			 * See if it exists.
 			 */
 			if (!aff4::util::fileExists(path)) {
+#if DEBUG
+				fprintf(aff4::getDebugOutput(), "%s[%d] : Create Resolver Path doesn't exist? %s, %d \n", __FILE__, __LINE__, path.c_str(), scanSubFolders);
+#endif
 				return nullptr;
 			}
 

diff --git a/src/AFF4Defaults.h b/src/AFF4Defaults.h
@@ -49,6 +49,11 @@
  * XSD Data type prefix
  */
 #define AFF4_XSD_PREFIX  "http://www.w3.org/2001/XMLSchema#"
+
+/**
+ * Black Bag Technologies base URI for custom properties
+ */
+#define BBT_BASE_URI     "https://blackbagtech.com/aff4/Schema#"
 /**
  * The default chunk size
  */

diff --git a/src/AFF4Lexicon.cc b/src/AFF4Lexicon.cc
@@ -72,7 +72,8 @@ static const std::map<aff4::Lexicon, std::string> lexiconMappings = { //
 				{ AFF4_DIGEST_SHA1, (AFF4_BASE_URI "SHA1") }, //
 				{ AFF4_DIGEST_SHA256, (AFF4_BASE_URI "SHA256") }, //
 				{ AFF4_DIGEST_SHA512, (AFF4_BASE_URI "SHA512") }, //
-				{ AFF4_DIGEST_BLAKE2B, (AFF4_BASE_URI "Blake2b") }, //
+				{ AFF4_DIGEST_BLAKE2B, (AFF4_BASE_URI "blake2b") }, //
+				{ AFF4_DIGEST_BLAKE2B_, (AFF4_BASE_URI "Blake2b") }, //
 				{ AFF4_PAGESIZE, (AFF4_BASE_URI "pageSize") }, //
 				{ AFF4_MEMORY_PAGETABLE_ENTRY_OFFSET, (AFF4_BASE_URI "memoryPageTableEntryOffset") }, //
 				{ AFF4_MEMORY_INSTALLED_SIZE, (AFF4_BASE_URI "memoryInstalledSize") }, //
@@ -93,6 +94,14 @@ static const std::map<aff4::Lexicon, std::string> lexiconMappings = { //
 				{ AFF4_TOOL, (AFF4_BASE_URI "tool") }, //
 				{ AFF4_MINOR_VERSION, (AFF4_BASE_URI "toolMinorVersion") }, //
 				{ AFF4_MAJOR_VERSION, (AFF4_BASE_URI "toolMajorVersion") }, //
+
+				/* Black Bag Technologies Custom Properties */
+				{ BBT_APFS_CONTAINER_TYPE, (BBT_BASE_URI "APFSContainerType") }, //
+				{ BBT_APFS_CONTAINER_TYPE_STANDARD , (BBT_BASE_URI "APFSStandardContainerType") }, //
+				{ BBT_APFS_CONTAINER_TYPE_T2, (BBT_BASE_URI "APFST2ContainerType") }, //
+				{ BBT_APFS_CONTAINER_TYPE_FUSION, (BBT_BASE_URI "APFSFusionContainerType") }, //
+				{ BBT_CONTAINS_EXTENTS, (BBT_BASE_URI "ContainsExtents") }, //
+				{ BBT_CONTAINS_UNALLOCATED, (BBT_BASE_URI "ContainsUnallocated") }, //
 		};
 
 namespace lexicon {

diff --git a/src/AFF4Lexicon.h b/src/AFF4Lexicon.h
@@ -243,6 +243,10 @@ enum Lexicon {
 	 * aff4:BLAKE2B
 	 */
 	AFF4_DIGEST_BLAKE2B,
+	/**
+	 * aff4:BLAKE2B
+	 */
+	AFF4_DIGEST_BLAKE2B_,
 
 	/*
 	 * Map information
@@ -347,6 +351,37 @@ enum Lexicon {
 	 * Optional RDF type to define case examiner who performed the acquisition.
 	 */
 	AFF4_CASE_EXAMINER,
+
+	/*
+	 * BlackBag Technologies Custom Properties
+	 */
+
+	/**
+	 * APFS Container type
+	 */
+	BBT_APFS_CONTAINER_TYPE,
+	/**
+	* APFS Container type (T2)
+	*/
+	BBT_APFS_CONTAINER_TYPE_T2,
+	/**
+	* APFS Container type (Fusion)
+	*/
+	BBT_APFS_CONTAINER_TYPE_FUSION,
+	/**
+	* APFS Container type (Standard disk)
+	*/
+	BBT_APFS_CONTAINER_TYPE_STANDARD,
+	/**
+	* Volume/Disk contains extents.
+	*/
+	BBT_CONTAINS_EXTENTS,
+	/**
+	* Volume/Disk contains unallocated regions (sparse).
+	*/
+	BBT_CONTAINS_UNALLOCATED,
+
+
 };
 
 namespace lexicon {

diff --git a/src/RDFValue.cc b/src/RDFValue.cc
@@ -48,7 +48,9 @@ static const std::map<std::string, aff4::Lexicon> aff4Mappings = { //
 				{ (AFF4_BASE_URI "SHA1"), aff4::Lexicon::AFF4_DIGEST_SHA1 }, //
 				{ (AFF4_BASE_URI "SHA256"), aff4::Lexicon::AFF4_DIGEST_SHA256 }, //
 				{ (AFF4_BASE_URI "SHA512"), aff4::Lexicon::AFF4_DIGEST_SHA512 }, //
-				{ (AFF4_BASE_URI "BLAKE2B"), aff4::Lexicon::AFF4_DIGEST_BLAKE2B }, //
+				{ (AFF4_BASE_URI "BLAKE2B"), aff4::Lexicon::AFF4_DIGEST_BLAKE2B }, // Evimetry Legacy
+				{ (AFF4_BASE_URI "Blake2b"), aff4::Lexicon::AFF4_DIGEST_BLAKE2B }, // Evimetry Legacy
+				{ (AFF4_BASE_URI "blake2b"), aff4::Lexicon::AFF4_DIGEST_BLAKE2B }, // AFF4 v1.0 std
 				{ (AFF4_BASE_URI "blockMapHashSHA512"), aff4::Lexicon::AFF4_DIGEST_BLOCK_MAP_HASH_SHA512 }, //
 		};
 

diff --git a/src/codec/CompressionCodec.cc b/src/codec/CompressionCodec.cc
@@ -34,14 +34,29 @@ std::shared_ptr<CompressionCodec> getCodec(aff4::Lexicon resource, uint32_t chun
 	switch (resource) {
 	case Lexicon::AFF4_IMAGE_COMPRESSION_SNAPPY:
 	case Lexicon::AFF4_IMAGE_COMPRESSION_SNAPPY2:
+#if DEBUG
+		fprintf(aff4::getDebugOutput(), "%s[%d] : Create Snappy Decompressor \n", __FILE__, __LINE__);
+#endif
 		return std::make_shared<SnappyCompression>(chunkSize);
 	case Lexicon::AFF4_IMAGE_COMPRESSION_LZ4:
+#if DEBUG
+		fprintf(aff4::getDebugOutput(), "%s[%d] : Create LZ4 Decompressor \n", __FILE__, __LINE__);
+#endif
 		return std::make_shared<LZ4Compression>(chunkSize);
 	case Lexicon::AFF4_IMAGE_COMPRESSION_DEFLATE:
+#if DEBUG
+		fprintf(aff4::getDebugOutput(), "%s[%d] : Create Deflate Decompressor \n", __FILE__, __LINE__);
+#endif
 		return std::make_shared<DeflateCompression>(chunkSize);
 	case Lexicon::AFF4_IMAGE_COMPRESSION_STORED:
+#if DEBUG
+		fprintf(aff4::getDebugOutput(), "%s[%d] : Create Stored Decompressor \n", __FILE__, __LINE__);
+#endif
 		return std::make_shared<NullCompression>(chunkSize);
 	case Lexicon::AFF4_IMAGE_COMPRESSION_ZLIB:
+#if DEBUG
+		fprintf(aff4::getDebugOutput(), "%s[%d] : Create ZLib Decompressor \n", __FILE__, __LINE__);
+#endif
 		return std::make_shared<ZlibCompression>(chunkSize);
 	default:
 		break;

diff --git a/src/image/AFF4Image.cc b/src/image/AFF4Image.cc
@@ -22,7 +22,9 @@ namespace image {
 
 AFF4Image::AFF4Image(const std::string& resource, aff4::container::AFF4ZipContainer* parent) :
 		AFF4Resource(resource), parent(parent) {
-
+#if DEBUG
+	fprintf(aff4::getDebugOutput(), "%s[%d] : Create Image? %s\n", __FILE__, __LINE__, resource.c_str());
+#endif
 	std::shared_ptr<aff4::rdf::Model> model = parent->getRDFModel();
 	// Add information about THIS object to the object properties.
 	std::map<aff4::Lexicon, std::vector<aff4::rdf::RDFValue>> elements = model->getObjectInformation(resource);
@@ -70,6 +72,9 @@ AFF4Image::~AFF4Image() {
 
 std::shared_ptr<aff4::IAFF4Map> AFF4Image::getMap() noexcept {
 	// Find our dependentStream instance.
+#if DEBUG
+	fprintf(aff4::getDebugOutput(), "%s[%d] : Open Map for Image. %s\n", __FILE__, __LINE__, getResourceID().c_str());
+#endif
 	std::vector<aff4::rdf::RDFValue> values = getProperty(aff4::Lexicon::AFF4_DATASTREAM);
 	if (!values.empty()) {
 		aff4::rdf::RDFValue v = values[0];

diff --git a/src/map/AFF4Map.cc b/src/map/AFF4Map.cc
@@ -53,7 +53,7 @@ AFF4Map::AFF4Map(const std::string& resource, aff4::container::AFF4ZipContainer*
 		}
 	}
 #if DEBUG
-	fprintf(aff4::getDebugOutput(), "%s[%d] : Length  %" PRIu64 " (%" PRIx64 ")\n", __FILE__, __LINE__, length, length);
+	fprintf(aff4::getDebugOutput(), "%s[%d] : Map Length  %" PRIu64 " (%" PRIx64 ")\n", __FILE__, __LINE__, length, length);
 #endif
 
 	/*

diff --git a/src/resolver/LightResolver.cc b/src/resolver/LightResolver.cc
@@ -117,6 +117,9 @@ void LightResolver::scanForAFF4Volumes(const std::string& path) {
 						// We don't have this file
 						std::string resID = aff4::container::getResourceID(absoluteFilename);
 						if (!resID.empty()) {
+#if DEBUG
+							fprintf(aff4::getDebugOutput(), "%s[%d] : Adding Volume %s => %s \n", __FILE__, __LINE__, resID.c_str(), absoluteFilename.c_str());
+#endif
 							volumes[resID] = absoluteFilename;
 						}
 					}
@@ -145,6 +148,9 @@ void LightResolver::scanForAFF4Volumes(const std::string& path) {
 					// We don't have this file
 					std::string resID = aff4::container::getResourceID(absoluteFilename);
 					if (!resID.empty()) {
+#if DEBUG
+						fprintf(aff4::getDebugOutput(), "%s[%d] : Adding Volume %s => %s \n", __FILE__, __LINE__, resID.c_str(), absoluteFilename.c_str());
+#endif
 						volumes[resID] = absoluteFilename;
 					}
 				}

diff --git a/src/stream/ImageStream.cc b/src/stream/ImageStream.cc
@@ -156,6 +156,9 @@ uint64_t ImageStream::size() noexcept {
 
 void ImageStream::close() noexcept {
 	if (!closed.exchange(true)) {
+#if DEBUG
+		fprintf(aff4::getDebugOutput(), "%s[%d] : Close aff4:ImageStream %s \n", __FILE__, __LINE__, getResourceID().c_str());
+#endif
 		parent = nullptr;
 	}
 }
@@ -172,11 +175,17 @@ inline uint64_t floor(uint64_t offset, uint64_t size) {
 
 int64_t ImageStream::read(void *buf, uint64_t count, uint64_t offset) noexcept {
 	if (closed) {
+#if DEBUG
+		fprintf(aff4::getDebugOutput(), "%s[%d] : Reading  %" PRIu64 " : %" PRIu64 " on Closed Stream \n", __FILE__, __LINE__, offset, count);
+#endif
 		errno = EPERM;
 		return -1;
 	}
 	// If offset beyond end, return.
 	if (offset > size()) {
+#if DEBUG
+		fprintf(aff4::getDebugOutput(), "%s[%d] : Reading  %" PRIu64 " : %" PRIu64 "? Offset Greater than Stream size \n", __FILE__, __LINE__, offset, count);
+#endif
 		return 0;
 	}
 	// If offset + count, will go beyond end, truncate count.
@@ -185,7 +194,7 @@ int64_t ImageStream::read(void *buf, uint64_t count, uint64_t offset) noexcept {
 	}
 
 #if DEBUG
-	//fprintf( stderr, "%s[%d] : Reading  %" PRIu64 " : %" PRIu64 " \n", __FILE__, __LINE__, offset, count);
+	fprintf( aff4::getDebugOutput(), "%s[%d] : Reading  %" PRIx64 " : %" PRIx64 " \n", __FILE__, __LINE__, offset, count);
 #endif
 
 	uint64_t leftToRead = count;
@@ -201,6 +210,9 @@ int64_t ImageStream::read(void *buf, uint64_t count, uint64_t offset) noexcept {
 		cacheBuffer_t entry = chunkCache->get(chunkOffset);
 		if (entry.second == 0) {
 			// failed to read.
+#if DEBUG
+			fprintf(aff4::getDebugOutput(), "%s[%d] : Reading  %" PRIx64 " : %" PRIx64 " => %" PRIx64 " FAILED READ \n", __FILE__, __LINE__, offset, count, chunkOffset);
+#endif
 			return -1;
 		}
 		uint64_t delta = offset - chunkOffset;
@@ -213,6 +225,9 @@ int64_t ImageStream::read(void *buf, uint64_t count, uint64_t offset) noexcept {
 		leftToRead -= toCopy;
 		buffer += toCopy;
 	}
+#if DEBUG
+	fprintf(aff4::getDebugOutput(), "%s[%d] : Completed Read  %" PRIx64 " : %" PRIx64 " => %" PRIx64 " \n", __FILE__, __LINE__, offset - actualRead, count, actualRead);
+#endif
 	return actualRead;
 }
 

diff --git a/src/stream/ImageStreamFactory.cc b/src/stream/ImageStreamFactory.cc
@@ -20,26 +20,44 @@ namespace aff4 {
 namespace stream {
 
 std::shared_ptr<IAFF4Stream> createZeroStream() {
+#if DEBUG
+	fprintf(aff4::getDebugOutput(), "%s[%d] : Create aff4:Zero stream \n", __FILE__, __LINE__);
+#endif
 	return std::make_shared<SymbolicImageStream>(aff4::lexicon::getLexiconString(aff4::Lexicon::AFF4_IMAGESTREAM_ZERO), (uint8_t) 0);
 }
 
 std::shared_ptr<IAFF4Stream> createUnknownStream() {
+#if DEBUG
+	fprintf(aff4::getDebugOutput(), "%s[%d] : Create aff4:Unknown stream \n", __FILE__, __LINE__);
+#endif
 	return std::make_shared<RepeatedImageStream>(aff4::lexicon::getLexiconString(aff4::Lexicon::AFF4_IMAGESTREAM_UNKNOWN), "UNKNOWN");
 }
 
 std::shared_ptr<IAFF4Stream> createUnknownStream(const std::string& resource) {
+#if DEBUG
+	fprintf(aff4::getDebugOutput(), "%s[%d] : Create aff4:Unknown stream with Resource %s \n", __FILE__, __LINE__, resource.c_str());
+#endif
 	return std::make_shared<RepeatedImageStream>(resource, "UNKNOWN");
 }
 
 std::shared_ptr<IAFF4Stream> createUnreadableStream() {
+#if DEBUG
+	fprintf(aff4::getDebugOutput(), "%s[%d] : Create aff4:Unreadable stream \n", __FILE__, __LINE__);
+#endif
 	return std::make_shared<RepeatedImageStream>(aff4::lexicon::getLexiconString(aff4::Lexicon::AFF4_IMAGESTREAM_UNREADABLE), "UNREADABLEDATA");
 }
 
 std::shared_ptr<IAFF4Stream> createSymbolicStream(const std::string& resource) {
+#if DEBUG
+	fprintf(aff4::getDebugOutput(), "%s[%d] : Create aff4:Symbolic stream %s \n", __FILE__, __LINE__, resource.c_str());
+#endif
 	return std::make_shared<SymbolicImageStream>(resource);
 }
 
 std::shared_ptr<IAFF4Stream> createSymbolicStream(uint8_t symbol) {
+#if DEBUG
+	fprintf(aff4::getDebugOutput(), "%s[%d] : Create aff4:Symbolic stream %02X \n", __FILE__, __LINE__, symbol);
+#endif
 	std::string resource = aff4::lexicon::getLexiconString(aff4::Lexicon::AFF4_IMAGESTREAM_SYMBOLIC_PREFIX);
 	char buf[4];
 	std::snprintf(buf, 3, "%02X", symbol);